Once the red recording light appears we will begin
Hello and welcome to the CDSE
Cybersecurity webinar my name is Noah LaBaron and I'm the Cybersecurity
for CDSE and your host for this webinar
Our producer today is Rachel Mongeau and instructional designer with CDSE
and we are joined by our cybersecurity instructor Ms.Rebecca Morgan
Today's topic is Cyber insider threat
Before we get started Rachel will provide you with a ground-rule for today's
webinar and some instruction on how to use the tools you'll need to participate
Okay thank you Noah .Before we get started we're gonna take a quick tour
of this meeting room. In the bottom left hand corner
as marked with a green arrow you're gonna find a notes box this gives you
the call in number and any other announcements.
If you are disconnected from audio this number will always be here on the screen
Be aware that you were able to listen through your computer speakers today.
Also on the screen you'll see our notes regarding
using fullscreen. If you look at the gray banner on top of your screen
you see a full screen option there it's four arrows
and they make a square shape. You can select this button to have a larger view
of the presentation.
However when questions apprear you need to select
it again to return to the normal view and respond our your questions.
Next there is a Q&A box,
you can enter questions to presenters in here, its marked with a blue a arrow it's on the
right hand side of your screen.
Your also gonna find a file share box in a location indicated with a yellow 0:01:38.969,0:01:39.789 arrow here.
We have 4 files in a box today
Your're going to find a webinar slides in there feel free to
download those, print them out and take notes as we go. Here your're gonna see
an example of what a chat question response box looks like.
We're gonna be asking a couple chat questions today, simply
type your response into the chat box. Chat boxes are going to be floating
on top of the question and answer boxes and make sure your out of full screen mode in
order to respond.
Okay this completes our tour of the meeting room.
Back to you.
Thanks Rachel. As Noah said my name is Rebecca Morgan and Noah and I are delighted to have you all
joining us for a very
first Cybersecurity webinar here at CDSE. Many of you may have tunned in to
CDSE's Counterintelligent webinars on Insider Threat
or Potential Espionage indicators earlier this year. I think you'll find today's offerings a
nice complement to those
session. You can find these recordings on our webinar archives if you missed them.
Today we will be focusing on the cyber insider threat.
Looking at the way in which traditional espionage inidcator may manifest
themselves in a cyber environment,
a new indicator specifically related to IT insider threat.
We'll talk about some observable and reportable behavior activities
associated with the Cyber insider threat
and identify best practices to prevent and detect this threat for your
Obviously the technological revolution have changed everything about our lives.
How we conduct business, travel,
bank, date, even the way we spy. Although we're not talking about Counter
intelligence today per say
I think we'd be remiss not to take note of the way the traditional espionage
indicators translate to the cyber environment. Espionage inidcators are really
insider threat indicators excessive behaviors or activity that may indicate
that an individual is engaging in espionage
or another national security crime. All of these directly relate to the reportable
behaviors and activities
under DOD Directive 5240.06
and the NISPOM. As you learned in the CI insider threat webinar back in
if any of these behaviors occur they are reportable
and be persued by the appropriate agency. However it's important to
consider how these may change in the cyber age.
In our globalized economy foreign contacts are more common. You may have
international business partners, you might have studied abroad, maybe even have gone on
an extended TDY.
In the past develop foreign contacts but it may be resulted in a Christmas card
exchange once a year.
Today however it's likely to result
in facebook, instant messaging, email,
texting. How do you determine if someone has a close and continuing foreign
Most likely these internet interactions will take place at least in part
in a digital environment. Also
issues that loyalty or foreign preference will likely be noted in blogs, web
postes or social media.
And not all but certainly very many issues involving this handling of
our security violations are going to revolve around Information Security Systems.
In the cyber age
some of these well known indicators may even move to obserlesant.
Why travel halfway around the world to meet your spy handler
when you can transmit information by throwing it in Dropbox and
get paid in bitcoin. Knowing that this information
reportable behaviors and activities indicative of espionage
and other national security crime is all housed in a digital environment.
How does it change what will be reported and by whom?
As a Security Officer or FSO or
Information System Security manager, are you seeing regular reports that monitor
annonymous behavior in automated information systems?
What is your cyber security staff level of expertise in identifying such
These are all questions worth asking as you develop your insider threat
in cybersecurity programs that your organization. Another thing to consider
is that insider threat
involves more than just a spy. The term insider encompasses spys, sabators thiefs and more.
The US computer emergency response team joined together
with DoD Personal Security research center
In the conduct of a study called Comparing insider IT sabatoge and espionage and 0:06:04.000,0:06:08.070 they determined that both categories are encompassed in the same threat base
differentiated only by the nature of the damage caused.
The bottom line IT insiders by virtue of legitimate
access to their organizations information systems and networks
pose a significant risk to organization. For example:
Employees experiencing financial problems have found it easy to use the
information systems they use at work every day
to commit fraud. Other employees motivated by financial problems,greed
the desire to obtain a business advantage or they wish to impress a new
have stolen confidential data, proprietary information
or intellectual property. Employees have even used their technical abilities to sabotage
their employers systems
or network in revenge for negative work-related events.
Given a broad range of illicit activities associated with the insider
how would you define the cyber insider threat?
Please enter your responses in the chatbox. 0:07:14.509,0:07:16.150 I see some good answers out there.
Anyone, it could anyone of us,
unhappy employees, we're seeing disgruntled
employees, yeah lots of good answers and really the key to the definition is
The fiber insider threat has been defined as a current or former employee,
contractor, vendor or other business partner who has or had authorized access
to an organization's network
system or data and intentionally exceeded or misused that access
that access in a manner that negatively affected the confidentiality,
integrity or availability of the organization's information or
information systems. The IT insider threat is
uniquely disturbing because cyberspace offers greater security to the
perpetrator in cases involving insiders.
Although auditors or similar cyber security measures may flag elicit downloads or
insiders may be able to master behavior it can also quickly transfer vast
amounts of data
often causing damage before most organizations even detect the problem.
That problem is exacerbated by our failure to detect malicious IT insider. This was
exhibited in that joint
US cert DoD study which revealed that in cases of insider IT sabatoe and espionage
there were specific commonalities among the cyber insider threat
and amongst the organizations vicitimized. The study found that most sabatores and spies
common personal predispositions that contributed to their risk of committing
and we'll discuss this in detail in a minute. Also in most cases stressful
events including organizational sanctions and unmet expectations in the
workplace things like
reprimands or failure to get an expected promotion, raise, or level of access
contributed to the likelihood of insider
IT sabotage and espionage. In most organizations concerning behaviors were often
and during insider IT sabotage an espionage
but they were never acted upon. Technical action such as the downloading
use of hacking tools, failure to document activities, unauthorized access and the setup and use of
back door accounts by insiders could have alerted the organization to plan for
ongoing malicious attack. Many organizations ignored or fail to detect
will violations and those were just the facilities that had rules in place. In many
instances there was a complete lack of physical and electronic access controls
to begin with.
So I said we would talk about the personal predispositions noted in the study
and they tended to fall into these categories. Serious mental health
disorders included alcohol and drug addiction,
history of physical spousal abuse, panic attack
and diagnose mental health issues. Personality problems included
bullying, sensitivity to criticism, a sense of entitlement, impulse control
and self esteem deficits. Social skill in decision-making deficits were identified
as conflicts with co-workers, hygiene problems,
extreme shyness and bullying. Finally
a history of rule violations with a parent in many of these cases and
included not just IT related offenses such as hacking
but also petty theft, misuse of resources, falsyfying of information
and other violations of office policy.
So we just spent all this time describing the characteristic of the IT insider
threat when maybe I should have just refered you back to the character of Milton from O:10:50.880,0:10:55.430 Office Space. I don't know how many of you saw or remember that movie, I know Noah and
Rachel both have seen it. Miton was a supremely nurdy co-worker who 0:10:59.720,0:11:04.420 exhibited every trait we just discussed and was subject to all sorts of perceived
or real sanctions and unmet
His included moving his
office to the basement, missing paychecks
he was the one guy not to get cake at the office birthday party
and unforgivably they stole his swing line stapler.
And in the end he turned out to be quite the insider threat
blowing up the office building. But
based on everything we just discussed to describe traits of cyber insider
including the noted personal predisposition, which character is more
cause for concern?
Would it be Milton the socially awkward classic nerd
or Peter the clean-cut well-liked around the office classic cool guy?
Put your responses in the chatbox. Ok, I see a lot of people saying Milton,
a few votes for Peter and a number of you coming up with the answer that is
both. Looks like a lot of people do remember this movie
and I see you've all picked up on that true idea which is of course,
that relying on a profile that all IT insiders are going to look like your
classic geek with tape on the glasses and pocket protectors is false.
The fact is both men are a threat, in the movie Milton may blow up the building but
Peter first used a simple algorythym to rob the company blind.
Although every office has a guy like Milton
someone everybody may make fun of or even feel sorry for and I notice Rachel
making a sad face when I was describing the hygiene issues of our poor guy.
Every office also has a guy like Peter who actually was exhibiting some of the
behaviors as well.
He had conflicts with coworkers however deserving those coworkers may have been.
He might have also had a sense of entitlement, maybe some impulse control
issues as well.
And you may be thinking isn't all the steps
screened out during the hiring process. Well
some of these issues may become apparent during a suitability or
security investigation. Many won't and you can't deny a clearance just because
somebody has b.o.
And also many of these will not become apparent at all
until you work with someone for a while.
Nor is this to say that every insider threat can be reduced to these characters,
the nerd or the flippin too cool for school guy.
Thruthfully anyone with authorized access to your IT systems may pose a threat.
As such we cannot rely on a profile, they need to look at specific behaviors an
activities of individuals
to help us detect and determine melicious insiders.
So we know that the key to
affected detection of fiber insider threat is paying attention to behaviors and
but what kind of things are we talking about? In addition to the traditional
espionage indicators that we mention at the top of the webinar,
which are explored more fully in our counterintelligence offering.
There are information technology specific indicators that have been identified in
cases of cyber
insider espionage and sabatoge. In the espionage cases
they involve a variety of rule violations and harmful technical actions including
downloading use of elicit software or malware, violations of acceptable use
analyst access. Many of these indicators can be detected through a combination of
technical counter measures and auditing
and all of these actions should be reported.
Things like illicit use of IT tools, violations of policy,
and attempts to hide online activity. Ask yourself, are these activities subject to
monitoring at your organization?
If so, who does the monitoring and where is it reorted?
Many of the inidicators in the sabotage cases were similar
and illustrate the range of behaviors and activities that should be considered
Again policy violations unauthorized deployment of
hardware/software and other IT tools concealment strategies.
Many people think of them as misuse of iT systems, sending risky emails, or
visiting any appropriate websites. And while these activities do pose a problem were
equally if not more concerned with network probing, creation of backdoor
accounts, installation of unauthorized hardware
and the other items identified here. Consider not just the elisted technical
policy violations. Such as using co-workers machines and access codes, failure or refusual
to document systems or software
and the retention of company property after termination.
These behaviors are all considered reportable activity under DoD directive 5240.6
enclosure 3 which is attached in the fileshare box below.
They can also be reported as adverse information regarding a clear contractor
under the NISPOM chapter 1 302.A. Solicite cyber activity is
a crime like any other and the elements of any criminal activity
natually involve the following factors. Opportunity
which in the case of cyber insider threat comes in the form of access to
Motive and really there are as many motives as there are people,
fifteen minutes of fame, ego, new job,
anger, divided loyalty, fear of failure, financial problems, iditology,
emotional needs, that means their really the same things that motivate
any of us to do any number fo things. Mos people who need money
don't spy, they get a second job. Most people disgruntled at work don't commit
they go back to school or look for a new position. People with emotional needs may
or get divorced or whatever might solve that patricular problem.
Know the real factor when it comes to those who commit elicite IT insider events
is the lack of inhabitions to betray which my be caused
by conflicting loyalty or organizational issues that often
hinges on personality problems, excessive ego,
grandiosity and risk-taking personalities for example.
All of these factors are accompanied by some sort of final trigger
often caused by stress-related to drug or alcohol abuse, rejection,
unmet expectations in the workplace, family problems, or other real or perceived
crises by the insider.
whether an individual represents a cyber insider threat remember that
don't exist in a vacuum and are likely to be accompanied by observable and
reportable behaviors related to these elements as well. Now we've spent a fair
amount of time discussing the malicious insider but
I think it's also important that we document the risks associated with
unwitting or careless insiders.Damage caused by these individuals
relating to unlawful disclosure and the integrity authenticity and availability
of information systems and data
can be just as harmful to your organization. In fact the 2005 FBI study
indicated that these individuals
we're responsible for nearly as many attacks as external perpetrators. 0:18:04.400,0:18:05.910 Unwitting perpetators could include
individuals who wittingly or unwittingly provide sensitive information
or sucumb to social engineering elicatation or other methodologies in
the digital brown.
There are also risks associated with policy violators
including those who make unathorize back up data to work from home.
I don't know if any of you are familiar with the issue that arose at the Veterans
Administration a few years back.
The agency was suffering under an extreme backlog
and in a misguided effort to alleviate the workload an
employee took home a laptop without authorization. The laptop with subsequently
stolen leading to the compromise of personally identifiable
identifiable information of 260.5 million
veterans and active-duty personnel. Yikes! right;
I mean I imagine some of our listeners today may have been among those affected by
Also don't forget that issues such as accidental deletion or modification of
composed information system security problems as well.
Alright it's time for another chat question.
You guys seem like pretty savvy
cyber awareness folks and given the issues that we've discussed
and despite what I know where you're aggressive efforts in cyber security
training and awareness in your own agencies an
organization. Let's just say an employee reports that they've downloaded an
attachment to an email
which they now suspect may have been militia. How are you going to respond to
Let's see some answers in the chat box. I
see reported immediately, disconnecting from the network at the computer,
talking to the security officer, quite a variety of answers.
Actually a lot of good ideas out there
and a lot of you probably have these practices in place right now.
However one of the things I would like to point out is that the same
issues that make an insiders threat also make them
an asset. Your
sytgem users sit right with the greatest vulnerabilities and as the targeted
external threats are really your first line of defense for detecting and
elicit cyber activity. Encouraging these users to report cyber threat information
as well as their own inadvertent policy violations are critical to effective
cyber security. Early detection of malware,
suspicious network activity an the like is essential and can make a difference between
a solvable problem
and an information security nightmare. As such
it's important to consider your response when users report violations.
And I did see a lot of good responses out there. Just remember though
if you fly off the handle or impose harsh sanctions when an individual tells you
about an attachment that they downloaded without authorization, you can bet they're
definitely not gonna tell you about the other time when they shared their
Measure your response to this situation remind your users that early reporting is
and that information security is the primary goal, not
punishment. Alright we've covered a lot of information
regarding cyber insider threat, discussing espionage
indicators in a digital environment, personality traits, specific technical
and behavioral indicators that the cyber insider threat as well as motives and
It's all good stuff but it's sometimes hard to know how to incorporate that into a
successful cyber security program at your organization.
As we discussed many of the potential indicators of cyber insider threat, both
and behavioral, are observable an reportable. Addressing these issues
within your cyber security awareness and training can increase your ability to
detect and deter the cyber insider threat. In addition
having well-planned incident response will not only enhance your capability to
handle current issues
but encourage an open door policy where employees are likely to report
a variety of cybersecurity threats and vulnerabilities to you.
I also find that operational exercises are an extremely effective training tool.
I'm not sure if any of you have heard this a few years ago but the Department of Homeland
took a number of thumb drives and CDs
scuffed them up a little bit adn threw them into the parking lot of a couple a federal
agencies in the DC metro area.
Of those items that were thrown around the parking lot, over ninety percent were
retrieved by federal employees
and of the retrieved items sixty percent were immediately deployed
on to federal computer workstations. Not brought to the IT desk, not brought to the
put directly into the systems. Now this was an operational exercise
and the materials were provided by DHS.
It amounted to basically a gotcha for those individuals.
But if that's any indication of how individuals behave with this type of
it shows that we've got a big problem on our hands.
Employing an exercise like this is far more effective than just giving a briefing
or maybe doing a point and click type of presentation.
Not that this will prevent everyone from engaging in this behavior
but I guarantee the folks involved, probably the co workers as well,
those individuals that deployed the Memory Stick
will never do it again.
There's some other factors that can enhance your ability to prevent and detect cyber
When establishing best practices it's important to consider a multi-layered
multi-disciplined approach. In addition to following information assurance
guidelines for employing
technical measures designed to protect information systems.
Consider the roles of personnel security, help for perhaps in identifying some of the personnel
issues which may contribute to cyber insider threat.
Physical security which can impact access and other factors,
as well as industrial security, foreign ownership control, influence issues,
supply chain, risk mitigation, operation security and
Continuity of Operations Planning. It's only by incorporating
each of these security disciplines enter the application of the defense application
hat we can begin to mitigate our approach by limiting access,
increasing reporting in detection, honing our responses
an deploying effective deterrent. Please see the cybersecurity
and best-practice documents identified in the fiel share box below
for more information on the prevention and detection of fiber insider threat.
As we discussed elicit cyber incidents both external and insider based are
under DoD directive D5240.6 enclosure 3.
A copy of the directive is located in the file Share box.
Insider cyber incidents are also subject to reporting under the National Industrial
under NISPOM chapter 1, 301 and 1-302a.Cyber
insider threats have become increasingly sophisticated
and the harmony inflicted causes more damage to our economy, our companies and our
than most external threats combined. Please remember,
you truly are our first line of defense in an effort to detect, deter and defeat
the cyber insider threat.
No one sits closer to our most critical assets or better understands our most
than you. And in the case of the cyber insider,
no one else may be closer to our greatest threat,a threat that could linger
just across the conference table 0:25:22.540,0:25:26.380 or down the hall. I'm looking at you Rachel.
No, she doesn't exhibit any of the behavior but anybody could.
I want to thank everybody for tunning into our first Cybersecurity webinar
series. We hope you'll join us for our next presentation on Trusted Downloads
coming out this summer.
I'll pass it back to our curriculum manager Noah LeBaron.
Thank you Rebecca for that amazing presentation. Let's look at some of the 0:25:46.659,0:25:49.909 questions that came in during the webinar.
First question, who is required to have a program for cyber insider threat?
For Federal Agencies, White House memorandum dated 11/27/2012,
handling guidance for the National insider threat policy and minimum standard,
under Executive Order 13587,
requires the establishment of an entire threat program.
Next question, what exactly is the requirement for industry?
At this time there's no NISP requirement for industry to establish an insider
However, conforming change in the NISPOM, expect that in FY15
will likely have insider threat program requirements.
Next question, can you provide examples of reportable CI events?
In addition to the items mentioned in the webinar slides, please refer to
DoD Directive a 5240.06,
included as a downloadable file in this webinar.
Last question, which industries best practices or strategies can lower
level information assurance practicioners to use the best to medigate this
threat? Following the best practices just in our downloadable handouts,
an employee in a multidisciplinary approach can be very effective in
the terrain and neutralizing the cyber insider threat.
Anyway, we have run out of time to answer remaining questions,
however we will answer those questions off line and be sure to post responses
along with the trend script from today's webinar.
Your feedback on
today's webinar is very important to us an is greatly appreciated. So I hope you'll
take a moment to participate in the short survey
and since we are always looking for ideas for future webinar topics,
if there's a topic you would like to see, make sure to identify that topic or
topics in your survey.
The survey may now be visible on your screen or may appear as a new tab
on your web browser. Thanks to everyone for
joining us today. As Rebecca mentioned at the start of our webnar our previous
and PEI webinars also provide
relevant training. We've provided the link to these webinars
here. Also please be sure to visit the
CDSE Cyber Security web page and check out some of our exciting offerings
e-learning, instructor-led courses and shorts. For Rebecca Morgan,
Rachel Montgeau and all of CDSE this is Noah LeBaron
saying thanks for spending your time with us today.
Have a great day.